South Carolina's top officer not releasing details on 2012 hack that stole millions of tax returns


COLUMBIA (AP) — Twelve years after a hacker stole personal data from more than 3.6 million people in South Carolina by obtaining Social Security numbers and credit card information from tax returns, the state's top police officer said Wednesday he thought he knew who did it but wasn't ready to name anyone.
State Law Enforcement Division Chief Mark Keel was careful not to release many details during his confirmation hearing for another six-year term. He said what authorities didn't find shows that the state had the right response after the U.S. Secret Service identified the hack and data breach in October 2012.
"I think the fact that we didn't come up with a whole lot of people's information that got breached is a testament to the work that people have done on this case," Keel said.
A contractor with the state Department of Revenue clicked on a malicious link in an email in the summer of 2012, allowing a hacker to access 6.4 million state income tax returns. They collected the Social Security numbers of 3.6 million people and almost 400,000 credit and debit card numbers.
The state paid $12 million for identity theft protection and credit monitoring for its residents after the breach, At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation.
Democratic Sen. Brad Hutto has been searching for answers for over a decade and has been repeatedly told it was an active investigation and couldn't be talked about. Hutto decided to ask Keel about the breach Wednesday to try to get answers in public.
"Now you can tell us that y'all paid somebody in Azerbaijan $28,000 or whatever it was," Hutto said.
Keel refused again to say if South Carolina paid a ransom to the hacker to get the information back.
"I'm probably still not going to be totally transparent with you, OK?" Keel said. "I'm not going to lie to you either."
Keel justified the insurance for taxpayers and the federal and state investigative work by saying the quick action prevented the hacked information from being used and the proof was what didn't happen — an onslaught of bogus credit card charges or people using stolen ID information.
In retrospect, the state may not have had to spend $12 million on insurance. But that is with the benefit of hindsight, Keel said.
"We didn't really have a choice," Keel said. "It was something that we had to do because at the time this happen we had to start trying to protect people immediately. We didn't have time for the investigation to play out the way it ultimately played out."
Hutto responded: "Did it play out? Do you know who did it?"
"Yes, sir, I know who did it," Keel said, refusing to give any other details.
Hutto asked if the person had been prosecuted, then laughed and said it might have been because the person was paid off.
Keel didn't respond to the bait. "If we could ever get to this individual, they may be," he said.
The Senate subcommittee approved Keel's nomination for an additional six-year term. It now goes to the full Judiciary Committee.
Keel has worked at the State Law Enforcement Division for nearly his entire 44-year law enforcement career, other than a three-year stint as the Department of Public Safety's director.
He rose through the ranks in jobs like helicopter pilot and hostage negotiator before becoming the agency's chief of staff in 2001. He spent a year as interim director in 2007 before being passed over by then-Gov. Mark Sanford for the top job.
Gov. Nikki Haley chose Keel to lead the State Law Enforcement Division in 2011.